Cybersecurity FAQ - What is Cybersecurity? What is Cyber Hygiene?


General Questions

What is cybersecurity?

Cybersecurity is the collection of technologies, processes, and practices that protect networked computer systems from unauthorized use or harm. Broadly speaking, cybersecurity topics can be subdivided into two complementary areas: cyber attacks, which are essentially offensive and emphasize network penetration techniques; and cyber defenses, which are essentially protective and emphasize counter-measures intended to eliminate or mitigate cyber attacks.

Cyber attacks can take aim at the enterprise, government, military, and other infrastructural assets of a nation or its citizens, where these assets can include physical infrastructure (e.g., power grids, nuclear reactors) as well as computational infrastructure (e.g., computers, networks). Cyber attacks can be classified by their participating actors (states vs. non-states) and their attack mechanisms (e.g., direct attack, malware, exploits). See the Cyber Attack Classifications and Cyber Attack Mechanism Taxonomy sections on the Cyber Threats page for more information.

Correspondingly, cyber defenses must protect the enterprise, government, military, and other infrastructural assets of a nation or its citizens. As is the case with cyber attacks, cyber defenses can be classified by their participating actors (states vs. non-states) and their attack mechanisms (e.g., direct attack, malware, exploits). See the Cyber Defense Classifications and Cyber Defense Countermeasure Taxonomy sections on the Cyber Defenses page for more information.

Why do we need cybersecurity?

The increasing reliance of our information age economies and governments on cyber (computer-based) infrastructure makes them progressively more vulnerable to cyber attacks on our computer systems, networks and data. In their most disruptive form, cyber attacks target the enterprise, government, military, or other infrastructural assets of a nation or its citizens. Both the volume and sophistication of cyber threats (cyber warfare, cyber terrorism, cyber espionage and malicious hacking) are monotonically increasing, and pose potent threats to our enterprise, government, military, or other infrastructural assets. Knowing that to be forewarned is to be forearmed, we are well advised to effect strong Cybersecurity defenses that will thwart rapidly evolving cyber threats.

Recent newsworthy cyber attacks on critical cyber infrastructure (e.g., Target data breach, Mt. Gox bitcoin hacker attacks, NSA data leaks and subsequent PRISM revelations) demonstrate the urgent need for improved cybersecurity. As cyber threats grow, so must our abilities to neutralize them. Towards that end the U.S. government issued an Executive Order for Improving Critical Infrastructure Cybersecurity in February 2013, and the 2014 President's Budget devotes over $13B to cyber-related programs and activities [Federal Information Technology FY 2014 Budget Priorities, p. 15]. The European Union Agency for Network and Information Security (ENISA) lists all known public documents of National Cyber Security Strategies in the EU as well as the rest of the world.

What is a cyber attack?

cyber attack: An offensive action by a malicious actor that is intended to undermine the functions of networked computers and their related resources, including unauthorized access, unapproved changes, and malicious destruction. Examples of cyber attacks include Distributed Denial of Service (DDoS) and Man-in-the-Middle (MITM) attacks.

What is a cyber threat?

cyber threat: A potential cyber attack, which may be assigned a probability of occurrence that can be used for cyber risk assessment.

What is a cyber risk?

cyber risk: A risk assessment that has been assigned to a cyber threat, such as a DDoS attack or a data breach. A cyber risk assessment may be either qualitative or quantitative, where the latter should estimate risk (R) as a function of the magnitude of the potential loss (L) and the probability (p) that L will occur (i.e., R = p * L).

What are the differences among the terms cyber attack, cyber threat & cyber risk?

The terms cyber attack, cyber threat, and cyber risk are interrelated as follows. A cyber attack is an offensive action, whereas a cyber threat is the possibility that a particular attack may occur, and the cyber risk associated with the subject threat estimates the probability of potential losses that may result.

For example, a Distributed Denial of Service (DDoS) cyber attack by a botnet is a cyber threat for many enterprises with online retail websites, where the associated cyber risk is a function of lost revenues due to website downtime and the probability that a DDoS cyber attack will occur.

What are the differences among the terms cyber attack, cyber warfare, cyber crime & cyber terrorism?

The differences among the terms cyber attack, cyber warfare, cyber crime, and cyber terrorism are best explained in terms of their actor (perpetrator) and attack effect (equivalent result) characteristics, as shown in the following table.

| Classification | Actor | Attack Effect Equivalency |
|---|---|---|
| Cyber Attack [generic] | TBD | TBD |
| Cyber Warfare [includes Cyber Espionage, Cyber Sabotage] | State [nation] | war act |
| Cyber Crime | Non-State (individual/organization) | criminal act |
| Cyber Terrorism | Non-State (individual/organization) | terrorism act |

What is malware?

Malware is an umbrella term derived from "malicious software", and refers to any software that is intrusive (unauthorized access), disruptive, or destructive to computer systems and networks. Malware may take many forms (executable code, data files) and includes, but is not limited to, computer viruses, worms, trojan horses (trojans), bots (botnets), spyware (system monitors, adware, tracking cookies), rogueware (scareware, ransomware), and other malicious programs. The majority of active malware threats are usually worms or trojans rather than viruses.

The following table summarizes the similarities and differences among selected common malware types.

It is my judgment that the Internet itself is for the most part secure, though there are steps we know can be taken to improve security and resilience. Most of the vulnerabilities arise from those who use the Internet--companies, governments, academic institutions, and individuals alike--but who do not practice what I refer to as good cyber hygiene. They are not sufficiently sensitive to the need to protect the security of the Internet community of which they are a part. The openness of the Internet is both its blessing and its curse when it comes to security.

Cyber hygiene related activities for computer system administrators include, but are not limited to, segmenting networks, enforcing compartmentalized ("need to know") user permissions, enforcing strong password rules and bi- or multi-authorization procedures, ensuring that firewalls are properly installed, updating both "white lists" and "black lists", ensuring that all antivirus and spam ware protection software is properly installed, removing all unauthorized software, and ensuring that all firmware and software patches are current.

Cyber hygiene related activities for computer system users include using strong passwords that are changed frequently and not written down, avoiding access to cybersecure systems from unauthorized and/or non-secure BYODs (Bring Your Own Devices), and avoiding mixing personal with cybersecure email and/or work documents.

The cyber- prefix generally denotes something to do with cyberspace, the virtual environment that consists of all networked computers, whose interconnections comprise the Internet-of-Things (IoT). For example, in the context of cybersecurity (= cyber + security) it is common to speak of cyber threats, cyber attacks, cyber defenses, and cyber countermeasures.

What is cyberspace?

Cyberspace is the virtual environment that consists of computer systems and networks, where all computers communicate via networks and all networks are connected. The term originated in science fiction during the 1980s and became popular during the 1990s. More recently computer vendors are attempting to brand cyberspace as the "Internet of Things" (IoT).

What is the best way to learn cybersecurity?

The best way to learn cybersecurity, as well as other technologies, is to combine the best of theory (principles and) with hands-on best practices. If you don't have ready access to a cybersecurity guru, check out the cybersecurity training services on the Cybersecurity Training page of this web.

Cyber Attack FAQ

Although most people understand what spamware is without a formal definition, the most common malware types (viruses, worms, trojans, and bots) are frequently confused by computer experts (who are not cybersecurity experts) and computer noobs alike.

The following table summarizes the similarities and differences among viruses, worms, trojans, and bots.

Background: The term asymmetric warfare describes war between belligerents whose relative military powers differ significantly, or whose strategies or tactics differ significantly. The weaker belligerents in asymmetrical warfare frequently apply the strategies and tactics of unconventional warfare (a.k.a., guerrilla warfare) to offset their deficiencies in military quantity and quality. Compare with symmetric warfare, where the belligerents possess comparable military powers and apply similar strategies and tactics.

Cyber warfare is considered to be a kind of asymmetric warfare because it potentially allows for significantly weaker actors (including nation states, terrorist organizations, criminal organizations, and “lone wolf” individuals) to wreak substantial financial and infrastructure damage on vastly more powerful nation states.

For those keeping score, cyber breaches are monotonically increasing in both frequency and scope. See 2014 Internet Security Threat Report, Volume 19 [Symantec 2014]. Since no reversal of this trend is currently in sight, it appears that the cyber bad guys are on a winning streak.

Background: In general usage, a firewall is a fire-resistant barrier that is used to prevent the spread of fire for a prescribed period of time. Fire walls are built between or within buildings, or within an aircraft or vehicle.

In the context of computer networks, a firewall is a network security system that monitors incoming and outgoing network message traffic and prevents the transmission of malicious messages based on an updatable rule set. In effect a firewall establishes a barrier between a trusted, secure internal network and external networks (e.g., the Internet) that are assumed to be untrustworthy and non-secure. Firewalls can be implemented as software that runs on general-purpose hardware (e.g., an open source firewall on a Windows PC or Mac OS X computer) or a dedicated hardware device (appliance).

How does a firewall work? In essence, firewalls function as a filter between a trusted, secure internal network and external networks (e.g., the Internet) that are assumed to be untrustworthy and non-secure. The firewall filter may be flexibly programmed to control which information packets are allowed and which are blocked.
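The filter described above can be sketched as an ordered rule set with a default action. This is an added example, not code from this page or from any firewall product; the class names, addresses (documentation ranges and a private range) and rules are constructed for illustration.

```python
"""Added illustration: a stateless packet filter with an updatable, ordered rule set."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dst_port: int
    proto: str  # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "block"
    src_net: str                     # CIDR the source must fall in
    dst_net: str                     # CIDR the destination must fall in
    proto: Optional[str] = None      # None matches any protocol
    dst_port: Optional[int] = None   # None matches any port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src_net)
                and ip_address(p.dst) in ip_network(self.dst_net)
                and self.proto in (None, p.proto)
                and self.dst_port in (None, p.dst_port))


class Firewall:
    """First matching rule wins; packets that match no rule get the default."""

    def __init__(self, rules: List[Rule], default: str = "block"):
        self.rules = list(rules)
        self.default = default

    def decide(self, p: Packet) -> str:
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return self.default

    def insert_rule(self, index: int, rule: Rule) -> None:
        # The rule set is updatable: earlier rules take precedence.
        self.rules.insert(index, rule)


def build_example_firewall() -> Firewall:
    # Constructed policy: internal hosts may reach anything; outsiders may
    # reach only the internal web server on TCP 443; all else is blocked.
    return Firewall([
        Rule("allow", "10.0.0.0/8", "0.0.0.0/0"),
        Rule("allow", "0.0.0.0/0", "10.0.0.80/32", "tcp", 443),
    ])


if __name__ == "__main__":
    fw = build_example_firewall()
    outsider_https = Packet("203.0.113.9", "10.0.0.80", 443, "tcp")
    outsider_ssh = Packet("203.0.113.9", "10.0.0.80", 22, "tcp")
    print(fw.decide(outsider_https), fw.decide(outsider_ssh))
    # Rule-set update: block one external network ahead of the allow rules.
    fw.insert_rule(0, Rule("block", "203.0.113.0/24", "0.0.0.0/0"))
    print(fw.decide(outsider_https))
```

The sketch is stateless: it judges each packet in isolation, so it does not model the connection tracking that lets real firewalls admit reply traffic for sessions opened from inside.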

Anti-virus software, a.k.a. anti-malware software, is computer software used to scan files to identify and eliminate malicious software (malware). Although anti-virus software was originally developed to detect and remove computer viruses (hence its name), it has been broadened in scope to detect other malware, such as worms, trojan horses, adware, spyware, ransomware, etc.

How does anti-virus software work? Anti-virus software typically uses two different techniques to identify and eliminate malware:

Virus dictionary approach: The anti-virus software scans a file while referring to a dictionary of known virus signatures that have been previously identified. If a code segment in the file matches any virus signature in the virus dictionary, then the anti-virus software performs one or more of the following operations: deletes the file; quarantines the file so that it is unable to spread; or attempts to repair the file by removing the virus from the file.

Suspicious behavior approach: The anti-virus software monitors the behavior of all programs, flagging suspicious behavior, such as one executing program attempting to write data to another executable program. The user is alerted to all suspicious behavior, and is queried regarding how the suspicious behavior should be handled.

An advantage of the suspicious behavior approach over the virus dictionary approach is that the former can provide protection against new viruses whose signatures have not yet been incorporated into the latter’s virus dictionary. The two approaches are complementary and can be synergistically combined.
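The two approaches and the way they complement each other can be shown side by side. This is an added example, not code from this page or from any anti-virus product; the signature names, byte patterns, file paths and event records are all constructed and harmless.

```python
"""Added illustration: signature-dictionary scan combined with a behavior rule."""

# Constructed "virus dictionary": signature name -> byte pattern (harmless markers).
SIGNATURES = {
    "Example.Marker.A": bytes.fromhex("deadbeef0badf00d"),
    "Example.Marker.B": b"CONSTRUCTED-TEST-SIGNATURE",
}
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".so")


def scan_bytes(data, signatures=SIGNATURES):
    """Dictionary approach: names of all known signatures found in the data."""
    return sorted(name for name, pattern in signatures.items() if pattern in data)


def suspicious_events(events):
    """Behavior approach: flag a program writing to an executable other than itself."""
    flagged = []
    for ev in events:
        target = ev["target"].lower()
        if (ev["op"] == "write"
                and target.endswith(EXECUTABLE_SUFFIXES)
                and target != ev["image"].lower()):
            flagged.append(ev)
    return flagged


def verdict(data, events):
    """Combine both: a signature hit quarantines, odd behavior asks the user."""
    hits = scan_bytes(data)
    if hits:
        return ("quarantine", hits)
    if suspicious_events(events):
        return ("ask_user", [])
    return ("clean", [])


# Constructed samples: a file carrying a known marker, and a variant whose
# marker differs in its last byte, so it is absent from the dictionary.
KNOWN = b"MZ" + b"A" * 16 + SIGNATURES["Example.Marker.A"] + b"B" * 16
VARIANT = KNOWN.replace(SIGNATURES["Example.Marker.A"],
                        bytes.fromhex("deadbeef0badf00e"))

# Constructed process events (image = the program performing the operation).
BENIGN_EVENTS = [
    {"image": r"C:\Apps\editor.exe", "op": "write", "target": r"C:\Users\a\notes.txt"},
]
TAMPERING_EVENTS = [
    {"image": r"C:\Temp\sample.exe", "op": "write", "target": r"C:\Apps\editor.exe"},
]

if __name__ == "__main__":
    print(verdict(KNOWN, BENIGN_EVENTS))        # known signature
    print(verdict(VARIANT, BENIGN_EVENTS))      # missed by the dictionary alone
    print(verdict(VARIANT, TAMPERING_EVENTS))   # caught by the behavior rule
```

The behavior rule also fires on legitimate installers and updaters that write executables, which is why this approach hands the decision to the user instead of acting on its own.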

In the context of cybersecurity, static perimeter-based cybersecurity refers to cyber defenses which focus on preventing cyber attacks from penetrating their networks' external boundaries (perimeters) using firewalls, anti-virus software, and other anti-malware scanners. While this traditional cyber defense approach may work against external malware attacks that are already known, it has been proven ineffective against cyber attacks by new malware (whose attack signatures are unknown) and knowledgeable trusted insiders (e.g., Edward Snowden’s notorious insider attack on NSA in 2013).

In the context of software-intensive systems the term framework may refer to either a computer/network architecture (i.e., an architecture framework) or a process (i.e., a process framework). Consequently, in the context of software-intensive cybersecurity systems the term cybersecurity framework may apply to either a cybersecurity architecture framework or a cybersecurity process framework, depending upon whether the framework emphasizes architecture elements (e.g., cybersecurity network devices, secure communication protocols) or process activities (e.g., guidelines, best practices).

A prominent example of a cybersecurity process framework is the NIST (National Institute of Standards and Technology) Framework for Improving Critical Infrastructure, first published by NIST in 2014. The NIST cybersecurity process framework was created through collaboration between U.S. government and industry, and consists of industry standards, guidelines, and best practices aimed at protecting critical information infrastructure.

At present, there are no industry-standard cybersecurity architecture frameworks, but there is a proliferation of ad hoc efforts to make computer network architectures more cybersecure by enhancing and extending network architectures with cybersecure hardware, firmware, and software mechanisms.

The NIST cybersecurity framework was created through collaboration between U.S. government and industry, and is voluntary guidance for a broad range of organizations to better manage and reduce their cybersecurity risks. The framework consists of industry standards, practical guidelines, and best practices for managing and reducing cybersecurity risks, and can be applied to diverse organizations—both government and commercial, ranging from small-to-large in size. The NIST cybersecurity framework is also designed to foster communications among internal and external organization stakeholders, so they can better collaborate to manage and reduce cybersecurity risks.

Since the NIST cybersecurity framework is voluntary guidance, rather than mandated regulations, organizations in different economic sectors are expected to customize the framework to address their specific cyber risks and cybersecurity needs. For more information about the NIST cybersecurity framework see the NIST Cybersecurity Framework FAQ.

Alternative FAQ Phrasings: What is a cybersecurity architecture? | What is a cyber architecture?

As noted in the previous response to the FAQ "What is a cybersecurity framework?", currently there are no industry-standard cybersecurity architecture frameworks, but there is a proliferation of ad hoc efforts to make computer network architectures more cybersecure by enhancing and extending network architectures with cybersecure hardware, firmware, and software mechanisms.

Cybersecurity & Cryptography FAQ

Cryptography (a.k.a. cryptology) is the practice of techniques for secure (confidential or private) communication in the presence of third parties, referred to as adversaries in this context, because the latter may intercept and compromise (usually by decoding or deciphering) the secure communication for nefarious purposes. In general practice, cryptography is concerned with designing and analyzing secure communication protocols that thwart adversaries. Cryptographic techniques tend to be multi-disciplinary, and involve the disciplines of mathematics, computer science and electrical engineering. Common applications of cryptography include computer passwords, ATM cards, smart credit cards, and electronic commerce transactions.

Usage Note: The term cryptography is sometimes conflated with the term cryptology, where the former is the practical application of secure communication techniques, whereas the latter is the formal study of these techniques.

Since cybersecurity defenses are typically based on strong authentication and encryption techniques, which in turn are based on cryptography techniques, cryptography is a key enabling technology for cybersecurity.

For a general overview of cryptography and the application of encryption techniques to cybersecurity see the following FAQs:

Encryption is the process of encoding messages or other information, referred to as plaintext, into ciphertext, in a manner so that only the encoder or other authorized parties can convert the ciphertext back to plaintext. Stated otherwise, ciphertext is encoded (i.e., encrypted), whereas plaintext is decoded (i.e., decrypted). Although encryption does not inherently prevent message interception or information access, in effect it denies information content to interceptors who may be adversarial in nature.

Decryption is the inverse process of encryption, in which encoded messages, referred to as ciphertext, are decoded into plaintext, so that their original unencrypted content may be read.

A cryptography key is an input parameter to a cryptographic algorithm or cipher function, which uniquely encodes plaintext (messages or other information) into ciphertext during encryption, and vice versa during decryption. (See the What is encryption? What is decryption? FAQ).

To explicate further, consider the following pseudocode for the complementary cryptographic algorithm functions encode and decode with parameters plaintext, cryptokey, and ciphertext:

encode (plaintext: String; cryptokey: String): ciphertext: String

decode (ciphertext: String; cryptokey: String): plaintext: String

The input and output parameters for encode and decode functions are described below:

plaintext: the unencrypted message or other information which is an input parameter to the encode function, and is a return parameter for the decode function.

ciphertext: the encrypted message or other information which is a return parameter for the encode function, and is an input parameter for the decode function.

cryptokey: the cryptographic key used by both the encode and decode functions to encrypt and decrypt the plaintext and ciphertext parameters respectively. Note that the cryptokey need not be identical for both encryption and decryption.

Note that the cryptographic keys used for encryption and decryption needn’t be symmetrical (i.e., identical). Indeed, for public-key encryption systems the cryptographic keys are asymmetrical. See the What is public-key encryption? FAQ for details.

In addition to encryption and decryption algorithms, cryptographic keys can be used for other cryptographic algorithms, such as digital signature schemes and message authentication codes.

Public-key encryption is an asymmetrical cryptographic system which uses a pair of mathematically related cryptographic keys:

public key: As its name implies, the public cryptographic key is widely known. Public keys are typically made available via a public directory or repository.

private key: As its name implies, the private cryptographic key is confidential, and is closely held by the message recipient or information concealer.

The cryptographic key pair is mathematically related in the sense that whatever is encrypted via a public key can only be decrypted via the corresponding private key, and vice versa.

For example, if Chauncey wants to send a confidential message to Chelsea, and wants to ensure that only Chelsea can read it, Chauncey can encrypt the message with Chelsea’s public key. Only Chelsea, or someone with access to her corresponding private key, will be capable of decrypting the encrypted message back into its original unencrypted form. Even if someone intercepts Chelsea’s encrypted message during transmission, its contents will remain confidential if the interceptor lacks access to Chelsea’s private key, which is essential for decryption.

To explicate further, consider the following pseudocode for the complementary cryptographic algorithm functions encode and decode with parameters plaintext, ciphertext, publickey, and privatekey, where the last two parameters represent a complementary public-private cryptographic key pair:

encode (plaintext: String; publickey: String): ciphertext: String

decode (ciphertext: String; privatekey: String): plaintext: String

The input and output parameters for encode and decode functions are described below:

plaintext: the unencrypted message or other information which is an input parameter to the encode function, and is a return parameter for the decode function.

ciphertext: the encrypted message or other information which is a return parameter for the encode function, and is an input parameter for the decode function.

publickey: the public cryptographic key used by encode as an input parameter to encrypt the plaintext input parameter.

privatekey: the private cryptographic key used by decode as an input parameter to decrypt the ciphertext input parameter.
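The encode and decode pseudocode above, together with the Chauncey and Chelsea exchange, can be made concrete with textbook RSA. This is an added example, not code from this page: it omits padding and builds its keys from publicly known Mersenne primes, so it illustrates the key relationship only and must not be used to protect data. The names PublicKey, PrivateKey and make_keypair are hypothetical, and decode returns bytes (not a String) because a wrong key yields arbitrary bytes.

```python
"""Added illustration: encode/decode with a public/private key pair (textbook RSA)."""
from math import gcd
from typing import NamedTuple, Tuple


class PublicKey(NamedTuple):
    n: int  # modulus
    e: int  # public exponent


class PrivateKey(NamedTuple):
    n: int  # modulus
    d: int  # private exponent


def make_keypair(p: int, q: int, e: int = 65537) -> Tuple[PublicKey, PrivateKey]:
    """Derive a mathematically related key pair from two primes p and q."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return PublicKey(p * q, e), PrivateKey(p * q, d)


def encode(plaintext: str, publickey: PublicKey) -> int:
    """Encrypt with the recipient's public key; ciphertext is an integer."""
    m = int.from_bytes(plaintext.encode("utf-8"), "big")
    if m >= publickey.n:
        raise ValueError("message too long for this modulus")
    return pow(m, publickey.e, publickey.n)


def decode(ciphertext: int, privatekey: PrivateKey) -> bytes:
    """Decrypt with a private key; only the matching key recovers the plaintext."""
    m = pow(ciphertext, privatekey.d, privatekey.n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


# Constructed keys from well-known Mersenne primes: fine for a demonstration,
# useless for secrecy because the factors of each modulus are public.
CHELSEA_PUBLIC, CHELSEA_PRIVATE = make_keypair(2**127 - 1, 2**89 - 1)
_, INTERCEPTOR_PRIVATE = make_keypair(2**107 - 1, 2**61 - 1)


def demo():
    """Chauncey encrypts for Chelsea; an interceptor tries a different private key."""
    ciphertext = encode("Meet at noon", CHELSEA_PUBLIC)
    return (decode(ciphertext, CHELSEA_PRIVATE),
            decode(ciphertext, INTERCEPTOR_PRIVATE))


if __name__ == "__main__":
    recovered, garbage = demo()
    print(recovered, garbage != recovered)
```

Production systems use a vetted library with randomized padding such as RSA-OAEP and freshly generated secret primes; unpadded RSA is deterministic and leaks structure about the plaintext.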

End-to-end encryption is a term used to describe a communication system where only the sender (the origin end) and the recipient (the destination end) of a message, and no intermediaries, can read the subject message, which is rigorously encrypted throughout its transit from the source end to the receiver end. When end-to-end encryption is properly implemented, only the sender and the recipient of the message possess the cryptographic keys needed to decrypt the message; even the intermediate message service has zero knowledge of the cryptographic keys required.

In the context of end-to-end encryption for secure data communications and secure data storage, zero-knowledge privacy refers to specific qualities that servers must possess to ensure confidentiality while transmitting or storing client data (message, files, database entries, authentication information, cryptographic keys, file metadata). As a general principle, a zero-knowledge privacy server must never be allowed to read or write client data as plaintext (i.e., unencrypted; compare ciphertext or encrypted), including authentication information, cryptographic keys, and file metadata. Consequently, for most practical purposes the confidentiality of the client data on the server cannot be compromised via internal mismanagement (including internal prying eyes) or external agents (e.g., cyber hackers).

The mathematical basis for ensuring zero-knowledge privacy can be traced to zero-knowledge proofs (a.k.a. “ZK proofs”), which are among the most powerful tools cryptographers have ever devised. For an introduction to zero-knowledge proofs, see Zero Knowledge Proofs: An illustrated primer.

While many vendors of data storage claim end-to-end encryption, many fall short of zero-knowledge privacy standards because they either read or write client data and authentication information as plaintext sometime during the end-to-end data transmission or storage processes, typically for client convenience. For example, consider the case of a File Synchronization & Sharing Tool user who uploads a local file on her desktop computer to her cloud-based storage server using a web-based interface. While the web-based interface may be convenient to the user, when she enters her authentication information directly into the web-based interface as plaintext she is compromising the confidentiality of the file she is uploading, since the cloud-based server can read the unencrypted file along with the associated metadata and authentication information prior to encryption. Consequently, if the cloud-based server is compromised by either an external or internal cyber threat, any encrypted stored data is also potentially compromised.

Compare this with a bona fide zero-knowledge privacy approach, where the user utilizes a dedicated secure app to fully encrypt the file prior to uploading it to the cloud-based server using the SSL (Secure Socket Layer) protocol during transmission, and the secure app provides neither metadata nor unencrypted password information to the cloud-based server.